State Codes and Statutes

GOVERNMENT CODE
SECTION 11549-11549.4



11549.  (a) There is in state government, in the California
Technology Agency, the Office of Information Security. The purpose of
the Office of Information Security is to ensure the confidentiality,
integrity, and availability of state systems and applications, and
to promote and protect privacy as part of the development and
operations of state systems and applications to ensure the trust of
the residents of this state.
   (b) The office shall be under the direction of a director, who
shall be appointed by, and serve at the pleasure of, the Governor.
The director shall report to the Secretary of California Technology,
and shall lead the Office of Information Security in carrying out its
mission.
   (c) The duties of the Office of Information Security, under the
direction of the director, shall be to provide direction for
information security and privacy to state government agencies,
departments, and offices, pursuant to Section 11549.3.
   (d) (1) Unless the context clearly requires otherwise, whenever
the term "Office of Information Security and Privacy Protection"
appears in any statute, regulation, or contract, it shall be deemed
to refer to the Office of Information Security, and whenever the term
"executive director of the Office of Information Security and
Privacy Protection" appears in statute, regulation, or contract, it
shall be deemed to refer to the Director of the Office of Information
Security.
   (2) All employees serving in state civil service, other than
temporary employees, who are engaged in the performance of functions
transferred from the Office of Information Security and Privacy
Protection to the Office of Information Security, are transferred to
the Office of Information Security. The status, positions, and rights
of those persons shall not be affected by their transfer and shall
continue to be retained by them pursuant to the State Civil Service
Act (Part 2 (commencing with Section 18500) of Division 5), except as
to positions the duties of which are vested in a position exempt
from civil service. The personnel records of all transferred
employees shall be transferred to the Office of Information Security.
   (3) The property of any office, agency, or department related to
functions transferred to the Office of Information Security is
transferred to the Office of Information Security. If any doubt
arises as to where that property is transferred, the Department of
General Services shall determine where the property is transferred.
   (4) All unexpended balances of appropriations and other funds
available for use in connection with any function or the
administration of any law transferred to the Office of Information
Security shall be transferred to the Office of Information Security
for the use and for the purpose for which the appropriation was
originally made or the funds were originally available. If there is
any doubt as to where those balances and funds are transferred, the
Department of Finance shall determine where the balances and funds
are transferred.



11549.1.  As used in this article, the following terms have the
following meanings:
   (a) "Director" means the Director of the Office of Information
Security.
   (b) "Office" means the Office of Information Security.
   (c) "Program" means an information security program established
pursuant to Section 11549.3.


11549.3.  (a) The director shall establish an information security
program. The program responsibilities include, but are not limited
to, all of the following:
   (1) The creation, updating, and publishing of information security
and privacy policies, standards, and procedures for state agencies
in the State Administrative Manual.
   (2) The creation, issuance, and maintenance of policies,
standards, and procedures directing state agencies to effectively
manage security and risk for all of the following:
   (A) Information technology, which includes, but is not limited to,
all electronic technology systems and services, automated
information handling, system design and analysis, conversion of data,
computer programming, information storage and retrieval,
telecommunications, requisite system controls, simulation, electronic
commerce, and all related interactions between people and machines.
   (B) Information that is identified as mission critical,
confidential, sensitive, or personal, as defined and published by the
office.
   (3) The creation, issuance, and maintenance of policies,
standards, and procedures directing state agencies for the
collection, tracking, and reporting of information regarding security
and privacy incidents.
   (4) The creation, issuance, and maintenance of policies,
standards, and procedures directing state agencies in the
development, maintenance, testing, and filing of each agency's
disaster recovery plan.
   (5) Coordination of the activities of agency information security
officers, for purposes of integrating statewide security initiatives
and ensuring compliance with information security and privacy
policies and standards.
   (6) Promotion and enhancement of the state agencies' risk
management and privacy programs through education, awareness,
collaboration, and consultation.
   (7) Representing the state before the federal government, other
state agencies, local government entities, and private industry on
issues that have statewide impact on information security and
privacy.
   (b) An information security officer appointed pursuant to Section
11546.1 shall implement the policies and procedures issued by the
Office of Information Security, including, but not limited to,
performing all of the following duties:
   (1) Comply with the information security and privacy policies,
standards, and procedures issued pursuant to this chapter by the
Office of Information Security.
   (2) Comply with filing requirements and incident notification by
providing timely information and reports as required by policy or
directives of the office.
   (c) The office may conduct, or require to be conducted,
independent security assessments of any state agency, department, or
office, the cost of which shall be funded by the state agency,
department, or office being assessed.
   (d) The office may require an audit of information security to
ensure program compliance, the cost of which shall be funded by the
state agency, department, or office being audited.
   (e) The office shall report to the California Technology Agency
any state agency found to be noncompliant with information security
program requirements.


11549.4.  The office shall consult with the State Chief Information
Officer, the California Emergency Management Agency, the Director of
General Services, the Director of Finance, and any other relevant
agencies concerning policies, standards, and procedures related to
information security and privacy.